game-dev-rust-godot
Warn
Audited by Snyk on May 12, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill explicitly requires fetching assets and code from public third-party sites: SKILL.md lists kenney.nl, opengameart.org, and freesound.org as asset sources, and references/rust-macroquad.md shows a wget from GitHub for mq_js_bundle.js. The agent is therefore expected to ingest untrusted, user-generated web content (assets and code) during its workflow, which could materially affect its decisions or actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The guide explicitly instructs downloading and using the Macroquad JS bundle at https://github.com/not-fl3/macroquad/releases/download/v0.4.0/mq_js_bundle.js (via wget), which is fetched at build/runtime and will execute as remote JavaScript required for the game's web runtime.
Issues (2)
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata